Okta lets your team sign in to your Base44 enterprise workspace with their existing Okta credentials. You create an OIDC application in Okta, allow Base44 to use it, then add its details to your workspace. To add and update members automatically, set up SCIM provisioning for Okta separately.
Workspace single sign-on is available on enterprise workspaces only. If you do not see this option, contact your Base44 account team.

Before you begin

Make sure you have:
  • Owner or admin access to your Base44 enterprise workspace.
  • Admin access to your Okta organization.
  • Your workspace ID, the string of characters after /workspace/ in your enterprise workspace URL.
  • Your Okta domain, the part before .okta.com (for example, your-company).

Set up single sign-on

Create an OIDC application in Okta, allow Base44 to use it, then add its details to your workspace.

Step 1: Create an OIDC app

Create the OIDC application that represents Base44 sign-in. To create the app:
  1. In the Okta Admin Console, go to Applications > Applications, then click Create App Integration.
  2. Set Sign-in method to OIDC - OpenID Connect.
  3. Set Application type to Web Application.
  4. Click Next.
Okta Create a new app integration dialog with OIDC and Web Application selected

Step 2: Configure the app

Set the app name, redirect URIs, and who can use it. To configure the app:
  1. Enter an App name, for example Base44 - your workspace name.
  2. Under Sign-in redirect URIs, add your workspace callback URL, replacing {{WORKSPACE_ID}} with your workspace ID: https://app.base44.com/api/workspaces/{{WORKSPACE_ID}}/auth/sso/callback
  3. Under Sign-out redirect URIs, add https://app.base44.com.
  4. Under Controlled access, choose who can use the app, for example Allow everyone in your organization to access.
  5. Click Save.
Okta application sign-in and sign-out redirect URI settings

Step 3: Get your credentials

From the app’s General tab, copy:
  • Client ID
  • Client Secret
  • Your Okta domain, the subdomain only (for example, your-company, not your-company.okta.com).

Step 4: Allow Base44 in your authorization server

Okta only issues tokens to apps that an authorization server policy allows. To add an access policy rule:
  1. Go to Security > API > Authorization Servers, then open the default server.
  2. On the Access Policies tab, click Add Rule, or edit an existing rule.
  3. Name the rule (for example, Allow Base44), set the grant type to Authorization Code, and apply it to your Base44 app (or all clients), all users, and any scopes.
  4. Click Create Rule.
In your Base44 app’s General tab in Okta, turn Federation Broker Mode off. With it on, sign-in can fail with “You are not allowed to access this app.”

Step 5: Add your details in Base44

Add the OIDC app credentials to your workspace. To configure SSO in Base44:
  1. Click your workspace name at the top left of your account.
  2. Click Settings.
  3. Click Auth and security.
  4. Enable the toggle next to Single Sign-On Configuration.
  5. In Select SSO Provider, choose Okta.
  6. Enter your Client ID, Client Secret, and Okta Domain (the subdomain only).
  7. Keep Scope as openid email profile.
  8. The Discovery URL fills in automatically from your Okta domain.
  9. Click Enable SSO.
Base44 Auth and security panel configured with Okta as the SSO provider
The auto-generated Discovery URL is correct only for a standard Okta org on its default .okta.com domain. If either case below applies, the default is wrong and sign-in fails, so set Okta up through Advanced / Manual configuration instead and enter the Discovery URL by hand:
  • Use the /oauth2/default Discovery URL: Point Base44 at your Okta authorization server so the email claim is returned: https://your-domain.okta.com/oauth2/default/.well-known/openid-configuration. If your org does not have a custom authorization server, this address returns a 404. In that case, use https://your-domain.okta.com/.well-known/openid-configuration and map the email claim in your Okta app profile.
  • Custom Okta domain: If your team signs in through a custom branded domain (for example, login.your-company.com), use that exact domain in the Discovery URL, not the default your-company.okta.com. Okta issues tokens from the domain people sign in through, so a mismatch fails issuer (iss) validation and sign-in breaks.
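A check for the two cases above, added here as an example (not Base44 or Okta code): it compares the issuer implied by the Discovery URL with the issuer in the discovery document and in an ID token, and confirms the email claim is present. The function and finding names are hypothetical, the sample document and claims are constructed, and the claims are assumed to come from a token whose signature has already been verified.

```python
WELL_KNOWN = "/.well-known/openid-configuration"

def expected_issuer(discovery_url):
    """Issuer implied by a Discovery URL: the URL with the well-known suffix removed."""
    if not discovery_url.startswith("https://") or not discovery_url.endswith(WELL_KNOWN):
        raise ValueError("expected an https OIDC Discovery URL")
    return discovery_url[: -len(WELL_KNOWN)]

def diagnose(discovery_url, doc, id_claims, scope="openid email profile"):
    """Return findings to resolve before enabling SSO; an empty list means none."""
    findings = []
    # OIDC Discovery requires the document's issuer to match the URL it was fetched from.
    if doc.get("issuer") != expected_issuer(discovery_url):
        findings.append("discovery-issuer-mismatch")
    # The relying party rejects tokens whose iss differs from the configured issuer.
    if id_claims.get("iss") != doc.get("issuer"):
        findings.append("token-issuer-mismatch")
    # The page's Scope setting asks for email; the token must actually carry it.
    if not id_claims.get("email"):
        findings.append("email-claim-missing")
    # scopes_supported is optional in discovery; only flag scopes when it is present.
    unsupported = set(scope.split()) - set(doc.get("scopes_supported", scope.split()))
    if unsupported:
        findings.append("scopes-unsupported:" + ",".join(sorted(unsupported)))
    return findings

# Constructed sample data (placeholders, not real tenant values).
DEFAULT_URL = "https://your-company.okta.com/oauth2/default" + WELL_KNOWN
CUSTOM_URL = "https://login.your-company.com/oauth2/default" + WELL_KNOWN
DOC = {
    "issuer": "https://your-company.okta.com/oauth2/default",
    "scopes_supported": ["openid", "email", "profile", "offline_access"],
}
GOOD_CLAIMS = {
    "iss": "https://your-company.okta.com/oauth2/default",
    "sub": "00u-constructed",
    "email": "user@your-company.example",
}
# Token issued through a custom branded domain, with no email claim.
CUSTOM_DOMAIN_CLAIMS = {
    "iss": "https://login.your-company.com/oauth2/default",
    "sub": "00u-constructed",
}

if __name__ == "__main__":
    for name, claims in (("good", GOOD_CLAIMS), ("custom-domain", CUSTOM_DOMAIN_CLAIMS)):
        print(name, diagnose(DEFAULT_URL, DOC, claims))
```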

Step 6: Assign users

People can sign in once they are assigned to your Okta app. To assign users:
  1. In your Okta app, go to the Assignments tab.
  2. Click Assign, then Assign to People or Assign to Groups.
  3. Select the users or groups that should be able to sign in, then click Assign and Save and Go Back.
To add and update members automatically instead of assigning them by hand, set up SCIM provisioning for Okta.

FAQs

Add an access policy rule on the default authorization server (Step 4), turn off Federation Broker Mode in the app’s General tab, and confirm the user is assigned to the app.
Okta’s default authorization server does not always return the email claim. Set Okta up through Advanced / Manual configuration and use the /oauth2/default Discovery URL so the email is returned. See the note in Step 5.
Yes. Okta OIDC apps do not support SCIM, so SSO uses an OIDC app and SCIM uses a separate SCIM 2.0 app. See SCIM provisioning for Okta.